secrets: move transmission secret to agenix

Antoine Martin 2022-03-11 18:14:50 +01:00
parent 540968627c
commit 165b30ef9c
8 changed files with 18 additions and 9 deletions


@ -142,7 +142,7 @@ in
transmission = { transmission = {
enable = true; enable = true;
username = "alarsyo"; username = "alarsyo";
password = secrets.transmission-password; secretConfigFile = config.age.secrets."transmission/secret".path;
}; };
}; };


@ -17,6 +17,10 @@
owner = "matrix-synapse"; owner = "matrix-synapse";
}; };
"transmission/secret" = {
owner = "transmission";
};
"users/alarsyo-hashed-password" = {}; "users/alarsyo-hashed-password" = {};
"users/root-hashed-password" = {}; "users/root-hashed-password" = {};
}; };
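Review bot: The new `"transmission/secret"` entry hard-codes `owner = "transmission"`, duplicating the service user's name instead of deriving it, and leaves group and mode at agenix's defaults. If the transmission service is ever run under a different user, this entry silently keeps the old owner and the daemon can no longer read the merged credentials file; if the NixOS module exposes the user as an option (I believe it does as `services.transmission.user`), `owner = config.services.transmission.user;` keeps the two in sync. The enclosing attribute set starts outside the hunk.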


@ -22,6 +22,8 @@ in
"restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
"restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ]; "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
"transmission/secret.age".publicKeys = [ poseidon ];
"users/root-hashed-password.age".publicKeys = machines; "users/root-hashed-password.age".publicKeys = machines;
"users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ]; "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
} }
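Review bot: `"transmission/secret.age"` is encrypted only to the `poseidon` host key, unlike the neighbouring entries which also list the `alarsyo` key (`[ alarsyo zephyrus ]`, `machines ++ [ alarsyo ]`). With the host key as sole recipient the file can be decrypted, re-edited or rekeyed only on that host, so rotating the RPC password from a workstation will fail; if that is not intended, `"transmission/secret.age".publicKeys = [ alarsyo poseidon ];` follows the pattern used for the restic secrets. The enclosing attribute set starts outside the hunk.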

Binary file not shown.


@ -11,7 +11,6 @@ in {
config.my.secrets = { config.my.secrets = {
miniflux-admin-credentials = fileContents ./miniflux-admin-credentials.secret; miniflux-admin-credentials = fileContents ./miniflux-admin-credentials.secret;
transmission-password = fileContents ./transmission.secret;
nextcloud-admin-pass = ./nextcloud-admin-pass.secret; nextcloud-admin-pass = ./nextcloud-admin-pass.secret;
nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret; nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret;

Binary file not shown.


@ -14,6 +14,7 @@ let
mkEnableOption mkEnableOption
mkIf mkIf
mkOption mkOption
optionals
; ;
cfg = config.my.services.matrix; cfg = config.my.services.matrix;
@ -46,7 +47,7 @@ in {
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
extraConfigFiles = lib.optionals (cfg.secretConfigFile != null) [ extraConfigFiles = optionals (cfg.secretConfigFile != null) [
cfg.secretConfigFile cfg.secretConfigFile
]; ];


@ -4,6 +4,7 @@ let
mkEnableOption mkEnableOption
mkIf mkIf
mkOption mkOption
optionalAttrs
; ;
cfg = config.my.services.transmission; cfg = config.my.services.transmission;
@ -27,10 +28,11 @@ in
description = "Name of the transmission RPC user"; description = "Name of the transmission RPC user";
}; };
password = mkOption { secretConfigFile = mkOption {
type = types.str; type = types.nullOr types.path;
example = "password"; default = null;
description = "Password of the transmission RPC user"; example = "/var/run/secrets/transmission-secrets";
description = "Path to secrets file to append to configuration";
}; };
}; };
@ -50,7 +52,6 @@ in
rpc-authentication-required = true; rpc-authentication-required = true;
rpc-username = cfg.username; rpc-username = cfg.username;
rpc-password = cfg.password;
rpc-whitelist-enabled = true; rpc-whitelist-enabled = true;
rpc-whitelist = "127.0.0.1"; rpc-whitelist = "127.0.0.1";
@ -58,7 +59,9 @@ in
# automatically allow transmission.settings.peer-port # automatically allow transmission.settings.peer-port
openFirewall = true; openFirewall = true;
}; } // (optionalAttrs (cfg.secretConfigFile != null) {
credentialsFile = cfg.secretConfigFile;
});
services.nginx.virtualHosts."${webuiDomain}" = { services.nginx.virtualHosts."${webuiDomain}" = {
forceSSL = true; forceSSL = true;
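Review bot: In the hunk at `@ -50,7 +52,6`, `rpc-authentication-required = true` is kept while `rpc-password` is now supplied only through `credentialsFile`, and the new `secretConfigFile` option defaults to `null`; with that default the generated settings demand authentication but define no password, and nothing in the module rejects or documents this. An assertion next to the option, e.g. `assertions = [ { assertion = cfg.secretConfigFile != null; message = "my.services.transmission.secretConfigFile must point to a file that sets rpc-password"; } ];`, would surface the misconfiguration at evaluation time instead of at the RPC endpoint. The description added at `@ -27,10 +28,11` also says the file is "appended" to the configuration, whereas it is handed to `services.transmission.credentialsFile`, which as far as I recall merges a JSON file into the settings; `description = "Path to a JSON file merged into the transmission settings; expected to set rpc-password";` would tell the user the required format. The last hunk may continue past the end of the page.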